Wireless Carriers Have A SIM Hijacking Problem They Don't Want To Talk About

from the nothing-to-see-here dept

Wireless carriers are coming under increasing fire for failing to protect their users from the practice of SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier into porting the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number, then managed to use his identity to steal thousands of dollars' worth of cryptocoins.

But the problem appears to be even worse than originally believed. A new report takes a closer look at the problem, exploring how identity thieves use SIM hijacking to do everything from cleaning out bank accounts, to stealing valuable Instagram usernames and selling them for Bitcoin. The process isn't particularly complicated, and more often than not involves the social engineering of a cellular carrier's support employees. The entire process tap dances around protections like two-factor authentication, and highlights the peril of relying too heavily on a single cell phone number for identity verification in apps and other services.

Carriers, for their part, don't much like to publicly talk about the problem, in part because it's occasionally their employees that are helping to facilitate the scams for a little extra cash:

"Thug and Ace explained that many hackers now recruit customer support or store employees who work at T-Mobile and other carriers and bribe them $80 or $100 to perform a SIM swap on their target. Thug claimed they got access to the T-Mobile tool by bribing an insider, but Motherboard could not verify this claim. T-Mobile declined to answer questions on whether the company had any evidence of insiders being involved in SIM swap scams."

Quite often, those cellular carrier employees are more than happy to provide hackers with direct access to cellular carrier support systems:

"(One hacker) said they do SIM swaps by using an internal T-Mobile tool to look up subscribers’ data. During our chat, the hacker showed me a screenshot of them browsing the tool. I gave (the hacker) my phone number as a test, and the hacker sent back a screenshot that contained my home address, IMSI number (a standardized unique number that identifies subscribers), and other theoretically secret account information. Thug even saw the special instructions that I gave T-Mobile to protect my account."

As is their usual MO, wireless carriers don't much want to have a serious conversation about the problem, and often insist that it's only impacting a few, rare accounts (in stark contrast to the laundry list of increasing complaints seen over the last few years):

"Motherboard reached out to AT&T, Verizon, Sprint, and T-Mobile—the big four US cell phone providers—requesting data on the prevalence of SIM swapping. None of them agreed to provide such information. An AT&T spokesperson said this kind of fraud “affects a small number of our customers and this is rare for us,” but did not respond when asked to clarify what “small number” means."

There are some steps users can take, including changing passwords frequently. T-Mobile users can also, for example, call 611 from their cellphone (or 1-800-937-8997), then tell a support staffer that they want to create a “port validation” passcode. Still, like the SS7 exploit that has been in the wild for years, it's pretty clear that wireless carriers might want to spend a little less time on mindless mergers and consolidation, killing net neutrality, and jacking up prices, and a little more time protecting their customers from security threats.